$EventType in `im_wseventing` incorrectly parsed
RAZR
Hi, I'm testing the NXLog EE trial and configured nxlog as a WEC with the im_wseventing module, but for some reason the $EventType field is parsed to a simple "AUDIT", not AUDIT_SUCCESS or AUDIT_FAILURE.
In the doc the possible values are: CRITICAL, ERROR, AUDIT_FAILURE, AUDIT_SUCCESS, INFO, WARNING, and VERBOSE.
Example of event:

<14>Jun 14 15:13:33 SRVTEST-00.test Microsoft-Windows-Security-Auditing[648]:
{
  "MessageID": "uuid:1DB8B636-E34C-4DB5-951D-EEE30FD8F837",
  "SourceName": "Microsoft-Windows-Security-Auditing",
  "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "EventID": 4634,
  "Version": 0,
  "LevelValue": 0,
  "EventType": "AUDIT",
  "SeverityValue": 2,
  "Severity": "INFO",
  "OpcodeValue": 0,
  "Keywords": "0x8020000000000000",
  "EventTime": "2019-06-14 15:13:33",
  "RecordNumber": 3437460,
  "ExecutionProcessID": 648,
  "ExecutionThreadID": 4980,
  "Channel": "Security",
  "Hostname": "SRVTEST-00.test",
  "TargetUserSid": "S-1-5-18",
  "TargetUserName": "SRVTEST-00$",
  "TargetDomainName": "TEST",
  "TargetLogonId": "0x2b06461",
  "LogonType": "3",
  "Message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSRVTEST-00$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2B06461\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
  "Level": "Information",
  "Task": "Logoff",
  "Opcode": "Info",
  "EventReceivedTime": "2019-06-14 15:13:35",
  "SourceModuleName": "wseventin",
  "SourceModuleType": "im_wseventing",
  "HostIP": "192.168.5.5"
}
My nxlog config:

User nxlog
Group nxlog
Panic Soft

# default values:
PidFile /opt/nxlog/var/run/nxlog/nxlog.pid
CacheDir /opt/nxlog/var/spool/nxlog
ModuleDir /opt/nxlog/libexec/nxlog/modules
SpoolDir /opt/nxlog/var/spool/nxlog

define LOGDIR /opt/nxlog/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log
LogFile %MYLOGFILE%

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension _resolver>
    Module xm_resolver
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

<Input wseventin>
    Module im_wseventing
    Address http://srvtest-12.test:80/wsman
    ListenAddr 0.0.0.0
    Port 80
    SubscriptionName testing
    Exec $HostIP = name_to_ipaddr($Hostname);
    Exec log_info(to_json());
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output tofile>
    Module om_file
    File '/opt/nxlog/var/log/nxlog/winevent.log'
    CreateDir TRUE
    Exec $Message = to_json(); to_syslog_bsd();
</Output>

<Route wec_to_file>
    Path wseventin => tofile
</Route>
Is it a bug or a trial restriction?
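As an added example (not code from the post or from NXLog), a small Python check that derives the audit outcome from the Keywords field of the collected Security events and flags records whose EventType was collapsed to a bare AUDIT. It assumes the standard Windows keyword bits for Audit Success (0x0020000000000000) and Audit Failure (0x0010000000000000), and that each line of winevent.log carries the to_json() record as the syslog message, as the om_file output above produces.

```python
import json

# Well-known Windows event keyword bits (assumption: standard winmeta values,
# not something the post states): bit 53 = Audit Success, bit 52 = Audit Failure.
AUDIT_SUCCESS_MASK = 0x0020000000000000
AUDIT_FAILURE_MASK = 0x0010000000000000


def parse_syslog_json(line: str) -> dict:
    """Return the JSON record carried as the message of a BSD-syslog line."""
    body = line[line.index("{"):]   # the syslog header holds no '{'
    return json.loads(body)


def expected_event_type(record: dict) -> str:
    """EventType an audit record should carry, derived from its Keywords bits."""
    keywords = int(record.get("Keywords", "0x0"), 16)
    if keywords & AUDIT_SUCCESS_MASK:
        return "AUDIT_SUCCESS"
    if keywords & AUDIT_FAILURE_MASK:
        return "AUDIT_FAILURE"
    return record.get("EventType", "")   # non-audit records keep their value


def find_mismatches(lines):
    """(EventID, reported, expected) for records whose EventType contradicts Keywords."""
    out = []
    for line in lines:
        rec = parse_syslog_json(line)
        reported, expected = rec.get("EventType", ""), expected_event_type(rec)
        if reported != expected:
            out.append((rec.get("EventID"), reported, expected))
    return out


# Constructed sample lines: a cut-down copy of the 4634 record from the post,
# plus a made-up 4625 (audit failure) record and a System-channel record.
SAMPLE_LINES = [
    '<14>Jun 14 15:13:33 SRVTEST-00.test Microsoft-Windows-Security-Auditing[648]: '
    '{"EventID": 4634, "EventType": "AUDIT", "Keywords": "0x8020000000000000", "Channel": "Security"}',
    '<14>Jun 14 15:14:02 SRVTEST-00.test Microsoft-Windows-Security-Auditing[648]: '
    '{"EventID": 4625, "EventType": "AUDIT", "Keywords": "0x8010000000000000", "Channel": "Security"}',
    '<14>Jun 14 15:14:10 SRVTEST-00.test Service_Control_Manager[0]: '
    '{"EventID": 7036, "EventType": "INFO", "Keywords": "0x8080000000000000", "Channel": "System"}',
]

if __name__ == "__main__":
    for event_id, reported, expected in find_mismatches(SAMPLE_LINES):
        print(f"EventID {event_id}: got {reported!r}, expected {expected!r}")
```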